US10776515B2ActiveUtilityA1

Data processing systems for fulfilling data subject access requests and related methods

Assignee: ONETRUST LLCPriority: Jun 10, 2016Filed: Feb 10, 2020Granted: Sep 15, 2020
Est. expiryJun 10, 2036(~9.9 yrs left)· nominal 20-yr term from priority
H04L 67/53H04L 63/108G06F 21/6245H04L 63/12G06F 2221/2137G06F 2221/2111H04L 63/20G06F 15/76H04L 63/102H04L 63/107G06F 21/31G06F 2221/2103G06F 21/552H04L 41/5029H04L 41/5064H04L 67/20
93
PatentIndex Score
3
Cited by
1,337
References
19
Claims

Abstract

Responding to a data subject access request includes receiving the request and identifying the requestor and source. In response to identifying the requestor and source, a computer processor determines whether the data subject access request is subject to fulfillment constraints, including whether the requestor or source is malicious. If so, then the computer processor denies the request or requests a processing fee prior to fulfillment. If not, then the computer processor fulfills the request.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented data processing method for responding to a data subject access request, the method comprising:
 receiving, by one or more computer processors, a data subject access request comprising one or more request parameters from a requestor at a source, wherein the one or more request parameters comprise one or more pieces of personal data associated with the requestor, and the source comprises a particular IP address or a particular domain; 
 identifying, by the one or more computer processors, the requestor based at least in part on the one or more request parameters; 
 identifying, by the one or more computer processors, the source of the data subject access request based at least in part on the requestor or source data associated with the data subject access request; 
 in response to identifying the requestor and the source of the data subject access request, determining, by the one or more computer processors, whether the data subject access request is subject to one or more response fulfillment constraints associated with the requestor or the source, wherein the one or more response fulfillment constraints comprise a quantity of data subject access requests from the requestor or the source within a period of time, and wherein determining whether the data subject access request is subject to one or more response fulfillment constraints comprises determining, by the one or more computer processors, whether the requestor is a malicious requestor or whether the source is a malicious source, and wherein determining whether the requestor is a malicious requestor comprises determining whether the data subject access request comprises one of a threshold quantity of data subject access requests from the requestor within a threshold period of time; 
 in response to determining that the data subject access request is subject to one or more response fulfillment constraints, denying, by the one or more computer processors, the data subject access request, or requesting, by the one or more computer processors, one or more processing fees prior to fulfilling the request; and 
 in response to determining that the data subject access request is not subject to one or more response fulfillment constraints, fulfilling, by the one or more computer processors, the data subject access request. 
 
     
     
       2. The computer-implemented data processing method of  claim 1 , wherein the source is selected from the group consisting of:
 a particular IP address associated with a competitor of an entity receiving the data subject access request; and 
 a particular domain associated with a competitor of the entity receiving the data subject access request. 
 
     
     
       3. The computer-implemented data processing method of  claim 2 , wherein the source is selected from the group consisting of:
 a particular IP address or a particular domain associated with a particular geographic region; 
 a particular IP address or a particular domain associated with a particular political group; and 
 a particular IP address or a particular domain associated with a particular protesting group. 
 
     
     
       4. The computer-implemented data processing method of  claim 1 , wherein the threshold time period comprises a single day. 
     
     
       5. The computer-implemented data processing method of  claim 1 , wherein determining whether the requestor is a malicious requestor comprises determining, by one or more computer processors, whether the requestor was previously and not currently employed by an entity receiving the data subject access request. 
     
     
       6. The computer-implemented data processing method of  claim 1 , wherein determining whether the requestor is a malicious requestor comprises determining that the requestor possesses a potential for malicious requests according to a stored rating assigned to the requestor in fulfillment request data associated with the requestor. 
     
     
       7. The computer-implemented data processing method of  claim 6 , wherein the stored rating is based on historical actions associated with the requestor. 
     
     
       8. The computer-implemented data processing method of  claim 1 , wherein determining whether the one or more limitations comprise denying the data subject access request or requesting one or more processing fees prior to fulfilling the request comprises analyzing, by one or more computer processors, a complaint history associated with the requestor. 
     
     
       9. The computer-implemented data processing method of  claim 1 , wherein determining whether the data subject access request is subject to one or more response fulfillment constraints further comprises analyzing, by one or more computer processors, a customer history associated with the requestor, and wherein determining whether the requestor is a malicious requestor comprises determining, based at least in part on the customer history whether the requestor is a malicious requestor. 
     
     
       10. The computer-implemented data processing method of  claim 9 , wherein the customer history associated with the requestor comprises one or more spending characteristics of the requestor. 
     
     
       11. The computer-implemented data processing method of  claim 10 , wherein if the one or more spending characteristics comprise an amount spent over a reference time period that exceeds a spending threshold, then in response to determining that the data subject access request is subject to one or more response fulfillment constraints requesting, by one or more computer processors, one or more processing fees prior to fulfilling the data subject access request. 
     
     
       12. A computer-implemented data processing method for responding to a data subject access request, the method comprising:
 receiving, by one or more computer processors, a data subject access request comprising one or more request parameters from a requestor at a source, wherein the one or more request parameters comprise one or more pieces of personal data associated with the requestor, and the source comprises a particular IP address or a particular domain; 
 in response to receiving the data subject access request, retrieving, by the one or more computer processors, fulfillment constraint data associated with the data subject access request from a repository server corresponding to a plurality of data subject access requests from a plurality of requestors and a plurality of data subject access request sources, wherein the fulfillment constraint data comprises a quantity of data subject access requests from the requestor or the source within a period of time; 
 determining, by the one or more computer processors, whether the requestor is a malicious requestor or whether the source is a malicious source based on the fulfillment constraint data and the one or more request parameters, wherein determining whether the requestor is a malicious requestor or whether the source is a malicious source comprises determining whether the data subject access request comprises one of a threshold quantity of data subject access requests from the requestor or the source within a threshold period of time; 
 in response to determining that the requestor is the malicious requestor or that the source is the malicious source, determining, by the one or more computer processors, whether the data subject access request is subject to one or more response fulfillment constraints; 
 in response to determining that the data subject access request is subject to the one or more response fulfillment constraints: 
 denying, by the one or more computer processors, the data subject access request, or 
 requesting, by the one or more processors, one or more processing fees prior to fulfilling the request. 
 
     
     
       13. The computer-implemented data processing method of  claim 12 , wherein the fulfillment constraint data comprises a stored rating assigned to the requestor, and wherein determining whether the requestor is a malicious requestor comprises determining that the requestor possesses a potential for malicious requests according to the stored rating. 
     
     
       14. The computer-implemented data processing method of  claim 13 , wherein the stored rating is based on historical actions associated with the requestor. 
     
     
       15. A computer-implemented data processing method for responding to a data subject access request, the method comprising:
 receiving, by one or more computer processors, a data subject access request comprising one or more request parameters from a requestor, wherein the one or more request parameters comprise one or more pieces of personal data associated with the requestor; 
 identifying, by the one or more computer processors, the requestor based at least in part on the one or more request parameters; 
 in response to identifying the requestor of the data subject access request, retrieving, by the one or more computer processors, fulfillment constraint data associated with the requestor, wherein the fulfillment constraint data comprises a stored rating assigned to the requestor, and the stored rating comprises a value assigned based on a source of the data subject access request or historical actions associated with the requestor; 
 determining, by the one or more computer processors, whether the requestor is a potentially malicious requestor based on the fulfillment constraint data, and wherein determining whether the requestor is a potentially malicious requestor comprises determining whether the data subject access request comprises one of a threshold quantity of data subject access requests from the requestor within a threshold period of time; 
 in response to determining that the requestor is potentially malicious, determining, by the one or more computer processors, whether the data subject access request is subject to one or more response fulfillment constraints; 
 in response to determining that the data subject access request is subject to the one or more response fulfillment constraints, denying, by the one or more computer processors, the data subject access request, or requesting, by the one or more computer processors, one or more processing fees prior to fulfilling the request; and 
 in response to determining that the data subject access request is not subject to one or more response fulfillment constraints, fulfilling, by the one or more computer processors, the data subject access request. 
 
     
     
       16. The computer-implemented data processing method of  claim 15 , wherein the source is selected from the group consisting of:
 a particular IP address associated with a competitor of an entity receiving the data subject access request; and 
 a particular domain associated with a competitor of the entity receiving the data subject access request. 
 
     
     
       17. The computer-implemented data processing method of  claim 15 , wherein the source is selected from the group consisting of:
 a particular IP address or a particular domain associated with a particular geographic region; 
 a particular IP address or a particular domain associated with a particular political group; and 
 a particular IP address or a particular domain associated with a particular protesting group. 
 
     
     
       18. The computer-implemented data processing method of  claim 15 , wherein the threshold period of time comprises a single day. 
     
     
       19. The computer-implemented data processing method of  claim 15 , wherein determining whether the requestor is a malicious requestor comprises determining, by one or more computer processors, whether the requestor was previously and not currently employed by an entity receiving the data subject access request.

Join the waitlist — get patent alerts

Track US10776515B2 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.